Access denied. delegation scenario accessing to a shared resource in cluster

Discussion in 'ASP .Net Security' started by jose.cortijo@gmail.com, Aug 11, 2006.

  1. Guest

    Hi,
    I have an asp.net app and in one aspx I need to read and write in a
    shared directory in a cluster.
    My code is the following:

    log.Debug("I am...." +
    System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    DirectoryInfo raiz = new DirectoryInfo(ruta_Excel);
    FileInfo[] archivos = raiz.GetFiles();

    I set the delegation to the users and servers and modified the web.config, but
    what can I do to access the cluster shared directory?

    After reading tons of documentation:

    How to configure an ASP.NET application for a delegation scenario
    http://support.microsoft.com/kb/810572/
    Authentication delegation through Kerberos does not work in
    load-balanced architectures
    http://support.microsoft.com/kb/325608/
    Kerberos authentication and troubleshooting delegation issues
    http://support.microsoft.com/kb/907272/en-us
    .....

    Is it impossible to do it? I read the workaround of accessing the
    fully qualified domain name (FQDN) but my system admin doesn't allow me
    to do it.

    I tried to impersonate by code with new credentials using the following
    code:

    using System;
    using System.IO;
    using System.Runtime.InteropServices;
    using System.Security.Principal;

    // P/Invoke declarations. LogonUser needs SetLastError so that
    // Marshal.GetLastWin32Error() returns its failure code.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    public static extern bool LogonUser(String lpszUsername, String lpszDomain,
        String lpszPassword, int dwLogonType, int dwLogonProvider,
        ref IntPtr phToken);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public extern static bool CloseHandle(IntPtr handle);

    // NOTE: static fields are shared by every request in the worker process,
    // so two concurrent requests overwrite each other's token and context.
    private static WindowsImpersonationContext impersonatedUser;
    private static IntPtr tokenHandle;

    private static int iDesImpersonar()
    {
        // Stop impersonating the user.
        if (impersonatedUser != null)
        {
            impersonatedUser.Undo();
            impersonatedUser = null;
        }

        // Free the token.
        if (tokenHandle != IntPtr.Zero)
        {
            CloseHandle(tokenHandle);
            tokenHandle = IntPtr.Zero;
        }
        return 1;
    }

    private static int iImpersonar(string psUsuario, string psPassword)
    {
        try
        {
            // Expect "DOMAIN\user".
            string[] parts = psUsuario.Split('\\');
            if (parts.Length != 2)
                throw new ArgumentException("expected DOMAIN\\user", "psUsuario");
            string domainName = parts[0];
            string userName = parts[1];

            const int LOGON32_PROVIDER_DEFAULT = 0;
            // An interactive logon creates a primary token, but the account must
            // hold the "Log on locally" right on the web server.
            // (LOGON32_LOGON_NEW_CREDENTIALS = 9 with LOGON32_PROVIDER_WINNT50 = 3
            // would use the credentials only for outbound network access instead.)
            const int LOGON32_LOGON_INTERACTIVE = 2;

            tokenHandle = IntPtr.Zero;

            // Call LogonUser to obtain a handle to an access token.
            bool returnValue = LogonUser(userName, domainName, psPassword,
                LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
                ref tokenHandle);

            if (!returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                Console.WriteLine("LogonUser failed with error code : {0}", ret);
                throw new System.ComponentModel.Win32Exception(ret);
            }

            // Use the token handle returned by LogonUser.
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            impersonatedUser = newId.Impersonate();
            return 1;
        }
        catch (Exception ex)
        {
            Console.WriteLine("Exception occurred. " + ex.Message);
            return 0;
        }
    }
    But now when I execute

    iImpersonar(@"DOMAIN\user1", "jdf0tj07");

    I get an access error executing
    log.Debug("I am...." +
    System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    It looks like I don't have enough rights to execute WindowsIdentity...

    What can I do to set some credentials to access the shared resource
    in the cluster and afterwards continue with my impersonation/delegation
    webapp?

    Thanks in advance.
    Jose
    , Aug 11, 2006
    #1

  2. You should be able to delegate to the remote resource, but it requires that
    your web server can do a Kerberos authentication to the remote resource
    (file system in this case). Depending on how your web server is configured
    for delegation (whether you can use protocol transition in this case), you
    may also need to ensure that you can authenticate the clients to the web
    application via Kerberos too.

    Do you know if your AD is 2003 or not? Can you do protocol transition (S4U)
    and constrained delegation? That changes your options a little bit from the
    web server perspective. Also, how is the web server process account
    configured for delegation (Kerberos-only or "any protocol")?

    The best debugging technique is to enable logon event auditing on both the
    web server and the cluster server and find out what kind of authentication
    is being performed. You'll see NTLM or Kerberos and other details. It is
    especially important that you can authenticate to the backend via Kerberos
    if you want to delegate.

    Unfortunately, troubleshooting Kerberos authentication and delegation
    scenarios can be pretty painful, but it can be done and it does work with
    the file system (as well as other services like LDAP, SQL and HTTP).

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    Joe Kaplan \(MVP - ADSI\), Aug 12, 2006
    #2
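As an added example (not code from either post), the checks Joe describes expressed in C#: which package authenticated the caller, whether the token is delegation-capable, and the second hop to the share. `uncPath` and `upn` are assumed caller-supplied placeholders, and the S4U path assumes the process account is configured for constrained delegation with protocol transition.

```csharp
using System;
using System.IO;
using System.Security.Principal;
// Added example, not code from the thread; uncPath and upn are caller-supplied placeholders.
public static class DelegationCheck
{
    public sealed class Report
    {
        public string Name;
        public string AuthenticationType;     // "Kerberos" or "NTLM"
        public TokenImpersonationLevel Level; // must be Delegation for a second hop
        public bool CanDelegate;
    }
    // Inspect the identity the page runs under: WindowsIdentity.GetCurrent()
    // after <identity impersonate="true"/> in web.config.
    public static Report Inspect(WindowsIdentity id)
    {
        Report r = new Report();
        r.Name = id.Name;
        r.AuthenticationType = id.AuthenticationType;
        r.Level = id.ImpersonationLevel;
        // NTLM leaves no ticket to forward, and an Impersonation-level token is only
        // valid locally; either one shows up as "access denied" on the cluster share.
        r.CanDelegate = string.Equals(r.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase)
                        && r.Level == TokenImpersonationLevel.Delegation;
        return r;
    }
    // Enumerate the share under the current token. A failure surfaces as
    // UnauthorizedAccessException or IOException; log that message, not just "denied".
    public static string[] ListShare(string uncPath)
    {
        FileInfo[] files = new DirectoryInfo(uncPath).GetFiles();
        string[] names = new string[files.Length];
        for (int i = 0; i < files.Length; i++) names[i] = files[i].Name;
        return names;
    }
    // Protocol transition (S4U2Self): a Kerberos token for the caller from the UPN
    // alone. Needs Windows 2003 AD and a process account trusted for constrained
    // delegation with "any protocol" to cifs/<cluster FQDN>; otherwise the token is
    // Identification level and cannot be impersonated against the share.
    public static string[] ListShareViaS4U(string upn, string uncPath)
    {
        WindowsIdentity id = new WindowsIdentity(upn);
        if (id.ImpersonationLevel == TokenImpersonationLevel.Identification)
            throw new InvalidOperationException("identification-only token: check delegation settings");
        using (WindowsImpersonationContext ctx = id.Impersonate())
            return ListShare(uncPath);
    }
}
```

Call `Inspect(WindowsIdentity.GetCurrent())` from the aspx and log the report before touching the share; a `CanDelegate` of false points at the web-server side of the configuration rather than at the share permissions.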